Messages - yourfriendarmando

#1
Hi All

I love the multiple Blocklists we are soon to get in Business Edition.
For my Community installs, there is an appreciable warning about ensuring source nets do not overlap.

When I put in all Class A, B, and C local subnets, the window should allow me to add them.
It appears to prevent me in the GUI; however, if I edit the config and add the subnets manually,
the system will allow the setting to apply.

Can we remove the edit, but keep the warning about adding source nets of different CIDR /xy sizes?

Attached: one screenshot showing it is possible when re-writing the config file.
The other is the screen edit preventing me from doing the same via the web GUI.

Thanks

YFA
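As an added example (not OPNsense code, and not from the poster), here is a small validator that applies the rule the post is asking for: source nets of different /xy sizes are accepted, but any two nets that overlap are rejected. The RFC 1918 Class A/B/C ranges and the "bad" list are constructed samples.

```python
"""Overlap check for blocklist source nets (added example, not OPNsense code)."""
import ipaddress


def parse_nets(cidrs):
    """Parse CIDR strings strictly: '10.0.0.1/8' (host bits set) raises ValueError."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs]


def find_overlaps(cidrs):
    """Return (a, b) pairs of networks that overlap, as strings.

    Prefix length is irrelevant; only address-range overlap counts, and
    IPv4 is never compared against IPv6.
    """
    nets = parse_nets(cidrs)
    overlaps = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps


def validate_source_nets(cidrs):
    """Decision the GUI should make: mixed sizes OK, overlaps rejected.

    Returns (ok, message).
    """
    try:
        overlaps = find_overlaps(cidrs)
    except ValueError as err:
        return False, f"invalid network: {err}"
    if overlaps:
        detail = "; ".join(f"{a} overlaps {b}" for a, b in overlaps)
        return False, "overlapping source nets: " + detail
    return True, f"{len(cidrs)} source nets, mixed prefix lengths, no overlaps"


# Constructed samples: RFC 1918 Class A/B/C ranges differ in /xy size but do
# not overlap, so they must be accepted. BAD nests a /24 inside the /16.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
BAD = ["10.0.0.0/8", "192.168.0.0/16", "192.168.50.0/24"]

if __name__ == "__main__":
    for label, cidrs in (("rfc1918", RFC1918), ("bad", BAD)):
        ok, msg = validate_source_nets(cidrs)
        print(f"{label}: {'OK' if ok else 'REJECT'} - {msg}")
```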
#2
Also, in case it hasn't been reiterated, you might want to additionally prevent devices like Android and iOS from escaping your DNS and attempting DNS over HTTP.

I recommend using a Floating rule, connected to a URL alias to v4/v6 lists, to keep those devices in check:

https://github.com/crypt0rr/public-doh-servers
https://github.com/oneoffdallas/dohservers/tree/master
https://github.com/dibdot/DoH-IP-blocklists/tree/master

Use a Firewall group to restrict your NAT and the rule above to local Interfaces and not interfere with the Firewall's ability to access DNS resources.

Here is also an older post on the matter:
https://forum.opnsense.org/index.php?topic=33931.0

Watch your Apple users start to hate you haha.
#3
General Discussion / Re: Partition or not?
January 02, 2026, 07:33:13 PM
You could put a stock FreeBSD on it, complete with its own EFI partition, then make that a sort of rescue OS for it.

I already put a copy of Memtest86+ (the latest release) with grub on it. Along with editing the grub.cfg file, it is now possible to enable the serial console to give it some diagnostic ability in a headless environment.

Still, all of the above would fit on a much smaller SSD. I might swap it out for an SSD of 128G or less.

Cheers

#4
For good measure, I usually go into each interface and specify "Prevent Interface Removal".
#5
General Discussion / Re: Who uses opnsense in companies
October 23, 2024, 11:29:10 PM
I have had great success setting up an OPNsense firewall for each of my clients. I feel they are far better protected than any of the "business" solutions offered by the ISP.
#6
I think this is related, as that error is the top of what is happening here.

I highly recommend pulling back this release before more folx upgrade their production systems.

https://forum.opnsense.org/index.php?topic=43474.0
#7
Hi all

Where are we with this?

I just upgraded both, and this only happens on BE, the most up to date CE appears to be doing just fine.

It's just in my VMs. I'm glad I tried the upgrade, which both succeeded fine. I'll hang back and re-upgrade my 24.4 VM at a later time, try again and make sure it's working fine before I upgrade my main system, as well as those of my subscribing clients.

Thank you
#8
There might also be tunables like this that can coerce the Intel chip to cooperate with the modules:

hw.ix.unsupported_sfp
Force Intel driver to use unsupported SFP+ modules. Def: 0
boot-time
Set the value to: 1
#9
Here is a shot of a rules table
#10
Hi All

I wanted to reach out and discuss the Cicada theme, which is a gorgeous dark mode of the stock theme.

I thought the screen brightness was more dim than usual, however, I am finding reading text a little harder unless I cut out more light in the room.

The change happened on package os-theme-cicada version 1.36, from 1.35.

It feels like the brightness was affected globally, or like an alpha blending of 0.70 was applied against black as the background. I am not a huge fan of the graphics being all around darker, however, can we make the text a bright white, or at least like in 1.35?

Screenshots attached of BE edition (1.35) and CE 24.1.10_8 (1.36). Not shown, but it applies to CE 24.7.0_5 too.

Thanks

YFA
#11
Add an allow rule for the interface shown with the error "Default deny / state violation rule".
#12
General Discussion / Re: Possible bug?
July 09, 2024, 03:28:56 AM
That seems more for a hardware (even if VM) question. What are you using for your VM management?
#13
General Discussion / Re: Opnsense business
June 20, 2024, 06:55:17 PM
We'll check that out, or at least a 10 year, aligned with how often we renew domains etc.
#14
Something is filling up the logs very fast. I wish there was a way to see each log area and get the totals of each size.

For now you need to do the following to see which one is swelling up. Log in to the box via console, ssh, serial.

cd /var/log
du -hscx -- *

From there it will depend what you need to address: maybe you have disk issues, a network card causing too many interrupts, someone trying to break in through the firewall, or a device constantly requesting an IPv6 address.

When you see which one is largest, it will have a latest.log, dmesg, syslog etc.

You can run this to watch the log and keep refreshing even if the file is rotated:

tail -F logFile
#15
Those should work fine and deliver on VLAN. They're a bonus, having some level of prioritization. I use the GS308EP series. I think the GS108 should be similar. I don't do port bonding/lagg, and these do only a more basic mode than LACP.